[mental note: ctrl+enter in claws is a shortcut for "send message". Do not use]
Hi, does anyone here have experience with adding CA certificates to Debian? My ISP is using "USERTrust Legacy Secure Server CA" as its issuer and that CA does not appear to be included in ca-certificates. I have not been able to find the corresponding certificate via UTN's (now Comodo's) website; I had to use a search engine to point me to tbs-x509.com to find the certificate. So much for trustworthiness... anyway, the certificate appears legit since it does complete the certificate chain:

  :~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts -CApath .
  depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
  verify return:1
  depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
  verify return:1
  depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
  verify return:1
  [..]
  Verify return code: 0 (ok)

Now, according to /usr/share/doc/ca-certificates/README.Debian I should be able to drop this certificate in /usr/local/share/ca-certificates, run update-ca-certificates and be done with it.

But this does not appear to be sufficient, because I still get this:

  :~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts
  depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
  verify error:num=21:unable to verify the first certificate
  verify return:1
  [..]
  Verify return code: 21 (unable to verify the first certificate)

Oddly enough (for me at least), when I manually specify the CApath to the system default, it does work:

  :~/tst$ openssl s_client -connect pop3.concepts.nl:995 -showcerts -CApath /etc/ssl/certs/
  depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
  verify return:1
  depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
  verify return:1
  depth=0 /C=NL/postalCode=4817 KK/ST=Noord-Brabant/L=Breda/street=St Ignatiusstraat 265/O=Concepts ICT/OU=Techniek/OU=Comodo PremiumSSL Legacy/CN=pop3.concepts.nl
  verify return:1

  :~/tst$ openssl verify /etc/ssl/certs/USERTrustLegacySecureServerCA.pem
  /etc/ssl/certs/USERTrustLegacySecureServerCA.pem: OK

So, the correct certificate appears to be installed in /etc/ssl/certs, it appears to be valid, yet I cannot connect unless I specify an explicit path to the certificate file. What am I missing here?
Regards,
Arno

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/snt108-w17915fbe3bfaddff1c46c3b8...@phx.gbl
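As an added example (not part of Arno's mail and not Debian's own tooling), a small POSIX shell script that automates the checks the mail does by hand: is the file something update-ca-certificates will pick up, is it findable by OpenSSL's hashed -CApath lookup, and does openssl verify accept it against that directory. It assumes the openssl CLI is installed; the function names and the minimal rehash stand-in are this example's own.

```shell
#!/bin/sh
# Added example: sanity checks for a locally added CA on Debian. All paths are
# arguments, so the functions can be tried on a scratch directory without root.
set -u

# update-ca-certificates only picks up files under /usr/local/share/ca-certificates
# whose name ends in .crt and which contain a PEM certificate. Returns 0 if "$1" fits.
ca_file_ok() {
    case "$1" in *.crt) ;; *) echo "skip: name must end in .crt: $1" >&2; return 1 ;; esac
    openssl x509 -in "$1" -noout 2>/dev/null || { echo "not a PEM certificate: $1" >&2; return 1; }
}

# OpenSSL's -CApath lookup wants <subject-hash>.<n> entries, which is what
# update-ca-certificates (via c_rehash) creates in /etc/ssl/certs. A certificate
# merely copied into the directory is invisible to that lookup. Returns 0 if "$1"
# is findable in "$2".
ca_in_capath() {
    hash=$(openssl x509 -in "$1" -noout -hash) || return 1
    for l in "$2/$hash".*; do [ -e "$l" ] && return 0; done
    return 1
}

# Minimal stand-in for the rehash step, for a scratch directory only: link every
# .crt/.pem in "$1" under its subject hash (c_rehash also handles CRLs and more).
rehash_capath() {
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        hash=$(openssl x509 -in "$f" -noout -hash)
        n=0
        while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$1/$hash.$n"
    done
}

# Same check the mail runs by hand: does "$1" chain to something in CApath "$2"?
# Returns openssl verify's exit status (0 = OK).
verify_against_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Usage: sh check_ca.sh <ca.crt> <capath>
# e.g. the file under /usr/local/share/ca-certificates and /etc/ssl/certs after
# running update-ca-certificates.
if [ $# -eq 2 ]; then
    ca_file_ok "$1" && ca_in_capath "$1" "$2" && verify_against_capath "$1" "$2" \
        && echo "OK: $1 is installed and verifies via $2" \
        || { echo "FAIL: $1 is not usable from $2" >&2; exit 1; }
fi
```

Run it against a scratch directory first: copy a CA in, watch ca_in_capath and verify_against_capath fail, then rehash and watch them pass, which is the difference between a file that is present and one that the -CApath lookup can actually find.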